Concerns about Windows 11, Copilot, and Recall

Hello,

I'm writing out of deep concern over the University's decision to require that all faculty and staff PCs operate on Windows 11, particularly and most importantly in light of the most recent revelations about Windows 11 Copilot and Recall applications.

To be specific, information security experts have demonstrated that Recall will take continuous screenshots of active pages, OCR them, and then store the resulting OCR as plaintext in an SQLite database:

https://www.theverge.com/2024/6/3/24170305/microsoft-windows-recall-ai-screenshots-security-privacy-issues

https://doublepulsar.com/recall-stealing-everything-youve-ever-typed-or-viewed-on-your-own-windows-pc-is-now-possible-da3e12e9465e

As an instructor of record and a PI and co-PI on several grants and research projects, I regularly access privileged and personally identifying information which I am required by University code and state and federal law to safeguard and anonymize as far as possible. These forthcoming Windows 11 "features" directly jeopardize my ability to do this work, and in fact create an active threat surface placing our work and the interests of our students in danger. Frankly, the likelihood of FERPA violations in relation to these tools is very high: https://studentprivacy.ed.gov/resources/best-practices-data-destruction

Put simply, this is a data privacy and security nightmare.

To this end, I ask that the University and T provide to all faculty and staff assurances that these tools and systems can be and will have been disabled prior to pushing any global updates; clear opt-out and deactivation processes for these tools on the user end; and clear alternatives for the Windows 11 OS and hardware, including, if possible, rollbacks to stable and supported Windows 10 versions, until such time as the former provisions may be secured. And while Microsoft is almost certainly taking steps in this situation, I think we must push for them to be taken far more quickly and comprehensively, before work like this is deployed by bad actors, rather than good-faith researchers: https://www.wired.com/story/total-recall-windows-recall-ai/

Until these remedies are available, the entirety of the Windows 11 ecosystem, and thus the data and IT security ecosystem of the University as a whole, are compromised.

Best,